
RE: ezflate: proposal to reinstitute deflate header compression

From: <K.Morgan@iaea.org>
Date: Tue, 3 Jun 2014 07:48:50 +0000
To: <w@1wt.eu>
CC: <ietf-http-wg@w3.org>, <C.Brunhuber@iaea.org>
Message-ID: <0356EBBE092D394F9291DA01E8D28EC201186D994C@sem002pd.sg.iaea.org>

Hi Willy,

On 02 June 2014 21:45, w@1wt.eu wrote:

> On Mon, Jun 02, 2014 at 07:23:05PM +0000, K.Morgan@iaea.org wrote:
>> + Interoperability is easy; any inflate library (e.g. zlib) will decompress ezflate streams
>
> Which makes me fear that it's as prone to DoS attacks as gzip (eg: send
> 1 Mbps of headers which are decompressed as 1 Gbps of headers), and as
> slow (a 40 Gbps capable server will basically scale down to less than
> 1 Gbps due to the cost of the compression).
>

No matter the header scheme, plain-text, hpack, ezflate ... you shouldn't be accepting 1 Gb of headers.  The h2 spec may not limit the size of headers, but any good implementation will.

> Don't forget that CRIME is not the only weakness of gzip here, it was
> the absolute showstopper, but the other issues remain :-/
>

What other issues?  Please elaborate.
Received on Tuesday, 3 June 2014 07:49:47 UTC
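
Added example, not part of the original message and not code from the ezflate proposal: a receiver that caps the inflated size of a header block, so the 1 Mbps-to-1 Gbps expansion raised in the thread is cut off at the limit instead of being fully decompressed. The 16 KiB cap, the function names and the use of an ordinary zlib stream as a stand-in for an ezflate stream are assumptions.

```python
import zlib

MAX_HEADER_BYTES = 16 * 1024  # hypothetical cap; the thread names no figure


class HeaderBlockTooLarge(Exception):
    """Raised when a header block inflates past the configured cap."""


def inflate_headers(compressed: bytes, limit: int = MAX_HEADER_BYTES,
                    chunk: int = 4096) -> bytes:
    """Inflate a deflate-compressed header block, giving up past `limit` bytes.

    Output is requested in bounded steps, so a hostile block costs at most
    limit + 1 bytes of output (and the CPU to produce them) before rejection.
    """
    d = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while not d.eof:
        # Allow one byte beyond the cap so an oversized block is detectable.
        want = min(chunk, limit + 1 - len(out))
        piece = d.decompress(data, want)
        out += piece
        if len(out) > limit:
            raise HeaderBlockTooLarge(f"header block exceeds {limit} bytes")
        data = d.unconsumed_tail
        if not data and len(piece) < want:
            break  # input used up and nothing pending (e.g. sync-flushed block)
    return bytes(out)


def make_bomb(inflated_size: int = 10_000_000) -> bytes:
    """Constructed sample: a small block that inflates to `inflated_size` bytes."""
    return zlib.compress(b"a" * inflated_size, 9)


if __name__ == "__main__":
    ok = zlib.compress(b"host: example.org\r\naccept: */*\r\n")  # constructed
    print(inflate_headers(ok))
    bomb = make_bomb()
    print("bomb on the wire:", len(bomb), "bytes")
    try:
        inflate_headers(bomb)
    except HeaderBlockTooLarge as exc:
        print("rejected:", exc)
```

The check runs during decompression rather than after it, which is what keeps the cost of a hostile block proportional to the cap and not to the attacker's chosen expansion.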
